What public DNS can and cannot show

Public DNS can show visible records at a point in time. It can support careful questions about posture and change, but it cannot explain private context or intent by itself.

DNS evidenceInterpretation limitsPublic records

Direct answer

Public DNS can show records that are deliberately visible to the internet, such as nameservers, address records, mail routing records and TXT records. It cannot show the full internal reason for a change or whether the visible position is intended.

Plain-language explanation

DNS is public by design. It helps other systems discover how to reach a domain's website, mail services and other internet-facing resources. Because those records are public, they can be observed without access to private systems.

That makes public DNS useful for transparency and governance. It can show where a domain appears to point, which provider families are visible, whether mail posture records exist, and whether those records changed between observations.

The same public nature also creates a limit. A visible DNS record does not explain why it exists, who approved it, whether it is part of a planned project, or what private monitoring and controls show internally.

Why it matters

Public DNS sits at the edge of organisational trust. It is often where websites, mail posture, DNS hosting and infrastructure providers become visible to outsiders.

For governance, communications and technical readers, the useful question is not whether a single DNS record is good or bad. The useful question is whether public-facing records are known, explainable and consistent with expected ownership.

What .auDO observes

  • nameservers and inferred DNS provider context
  • A and AAAA address records
  • MX records and inferred email provider context
  • TXT records including DMARC and SPF-related public records
  • DNSSEC-related public evidence where visible
  • changes between repeated observations across the fixed panel

What it can tell us

  • which public DNS records were visible at collection time
  • whether a record appeared, disappeared or changed between observations
  • whether visible provider patterns changed
  • whether mail, DNS or infrastructure posture appears stable or moving
  • whether public evidence is worth reviewing alongside registration and report context

What it cannot prove

  • why a DNS change occurred
  • whether a change was authorised or expected
  • whether the internal service behind a record is functioning as intended
  • whether a supplier relationship is active beyond what public records suggest
  • whether private logs, monitoring or contracts support the same interpretation
  • whether governance is strong or weak on the basis of DNS alone

Practical governance questions

  • Do we know which public DNS records matter most for our domains?
  • Are expected providers, mail routes and verification records documented?
  • Can we explain material DNS movement after it appears publicly?
  • Are DNS records reviewed when domains move between suppliers or projects?
  • Do non-technical owners understand that DNS is part of public trust posture?

Public DNS can support better governance conversations, but it is not a complete internal record. The Domain Governance Baseline helps separate visible signals from internal accountability questions.

These signal pages explain the public DNS fields most relevant to this explainer.

State pages summarise aggregate posture across the current .auDO observation panel. They are summaries, not scores.

Explore observed context

For broader context, compare public DNS evidence with dated reports, observed cohorts and the methodology notes. These pages help separate observation from interpretation.